[Samba] Issues demoting a samba DC.
Michael Tokarev
mjt at tls.msk.ru
Sun Jan 8 11:04:29 UTC 2023
Hello!
I'm trying to remove a DC from our samba domain (samba 4.17.4).
It was the primary controller (with FSMO roles), - I successfully
transferred the roles to another DC. Now it's time to demote:
ai# samba-tool domain demote -U mjt-adm
Using svdcp.tls.msk.ru as partner server for the demotion
Password for [TLS\mjt-adm]:
Deactivating inbound replication
Asking partner server svdcp.tls.msk.ru to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while renaming CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru to CN=AI,CN=Computers,DC=tls,DC=msk,DC=ru - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <acl:access_denied renaming CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru> <>
mjt-adm is a user with admin rights (domain admins group) in the dc.
It is interesting I can not use Administrator account for this,
it asks for the password twice, and refuses to work saying
login is incorrect, even if the same password works for
smbclient.
Now, after the first attempt to demote, some things doesn't work
right, eg:
ai# samba-tool drs showrepl
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
(it definitely worked at least before the FSMO roles transfer).
Should I force-remove it from another DC?
Thanks,
/mjt
More information about the samba
mailing list